package com.liuxn.dubbo.sample.demo.util.xss;

import org.springframework.util.StringUtils;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.commons.CommonsMultipartResolver;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * @ClassName XssRequestWrappers
 * @Author zmm
 * @Version 1.0
 */
public class XssRequestWrappers extends HttpServletRequestWrapper {
    private CommonsMultipartResolver multiparResolver = new CommonsMultipartResolver();

    public XssRequestWrappers(HttpServletRequest request) {
        super(request);

        String type = request.getHeader("Content-Type");
        if (!StringUtils.isEmpty(type) && type.contains("multipart/form-data")) {
            MultipartHttpServletRequest multipartHttpServletRequest = multiparResolver.resolveMultipart(request);
            Map<String, String[]> stringMap = multipartHttpServletRequest.getParameterMap();
            if (!stringMap.isEmpty()) {
                for (String key : stringMap.keySet()) {
                    String value = multipartHttpServletRequest.getParameter(key);
                    striptXSS(key);
                    striptXSS(value);
                }
            }
            super.setRequest(multipartHttpServletRequest);
        }
    }

    @Override
    public String[] getParameterValues(String parameter) {
        String[] values = super.getParameterValues(parameter);
        if (values == null) {
            return null;
        }
        int count = values.length;
        String[] encodedValues = new String[count];
        for (int i = 0; i < count; i++) {
            encodedValues[i] = striptXSS(values[i]);
        }
        return encodedValues;
    }

    @Override
    public String getParameter(String parameter) {
        String value = super.getParameter(parameter);
        return striptXSS(value);
    }

    @Override
    public String getHeader(String name) {
        String value = super.getHeader(name);
        return striptXSS(value);
    }

    @Override
    public Map<String, String[]> getParameterMap() {
        Map<String, String[]> map1 = super.getParameterMap();
        Map<String, String[]> escapseMap = new HashMap<String, String[]>();
        Set<String> keys = map1.keySet();
        for (String key : keys) {
            String[] valArr = map1.get(key);
            if (valArr != null && valArr.length > 0) {
                String[] escapseValArr = new String[valArr.length];
                for (int i = 0; i < valArr.length; i++) {
                    String escapseVal = striptXSS(valArr[i]);
                    escapseValArr[i] = escapseVal;
                }
                escapseMap.put(key, escapseValArr);
            }
        }

        return escapseMap;
    }

	//处理非法内容，如果有新的在此处增加即可
    public static String striptXSS(String value) {
        if (value != null) {
            // 替换空字符串，以便清除潜在的恶意脚本
            value = value.replaceAll("", "");

            // 移除<script>标签及其内容
            Pattern scriptPattern = Pattern.compile("<script>(.*?)</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除带有src属性的标签，支持单引号和双引号包围的属性值
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\'(.*?)\\\'", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");
            scriptPattern = Pattern.compile("src[\r\n]*=[\r\n]*\\\"(.*?)\\\"", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除</script>标签
            scriptPattern = Pattern.compile("</script>", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除以<script...>开头的标签
            scriptPattern = Pattern.compile("<script(.*?)>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除eval()函数调用
            scriptPattern = Pattern.compile("eval\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除expression()函数调用
            scriptPattern = Pattern.compile("e­xpression\\((.*?)\\)", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除以"javascript:"开头的字符串
            scriptPattern = Pattern.compile("javascript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除以"vbscript:"开头的字符串
            scriptPattern = Pattern.compile("vbscript:", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除以"onload..."开头的字符串
            scriptPattern = Pattern.compile("onload(.*?)=", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
            value = scriptPattern.matcher(value).replaceAll("");

            // 移除包含任何<和>字符的字符串
            scriptPattern = Pattern.compile(".*<.*", Pattern.CASE_INSENSITIVE);
            value = scriptPattern.matcher(value).replaceAll("");
        }

        // 返回处理后的字符串
        return value;
    }
}
